about freeradius support

Sergio Yébenes Moreno sergioyebenes at alumnos.upm.es
Sun Jun 29 19:46:52 CEST 2008


David Wood wrote:
> Hi Sergio,
>
> In message <48676BB9.1040409 at alumnos.upm.es>, Sergio Yébenes Moreno 
> <sergioyebenes at alumnos.upm.es> writes
>> I'm configuring a freeradius server with opensc on the client side. I'd like 
>> to know if freeradius has support for PKCS#11.
>> In the wpa_supplicant log I see how the client writes TLS-ChangeCipherSpec and
>> TLS-Finished. This means that the server has authenticated, but 
>> freeradius shows a TLS error because the client does not send a
>> certificate. I think it's because of PKCS#11. I'm not sure, but I really 
>> need to know. I'm using
>> freeradius-server-2.0.4
>
> The server doesn't care where the certificates and private key are 
> stored on the client side; the use of PKCS#11 and a smartcard or token 
> is irrelevant and the server needs no special support for PKCS#11.
>
> The only way the use of the smartcard or token could change things is 
> if your supplicant needs the entire certificate chain on the smartcard 
> or token, and you've only loaded the certificate itself.
>
>
> The only reason the server would need PKCS#11 support is if the 
> server's certificate were on a smartcard or token. It's an intriguing 
> idea, but I have my doubts that a smartcard or token would keep up 
> with the demands placed on it.
>
>
> As Nicolas said, the debug log on the server side almost certainly 
> contains the answer to this - that's where you should be looking.
>
> Run radiusd -X and attempt to authenticate using wpa_supplicant and 
> your token or smartcard. What does the server's debug output say? If 
> you can see the server rejecting the authentication attempt, look back 
> for the reason. If the server accepts the authentication attempt, the 
> problem is elsewhere.
>
>
> Best wishes,
>
>
>
>
> David
Hi David,

"The server doesn't care where the certificates and private key are 
stored on the client side; the use of PKCS#11 and a smartcard or token 
is irrelevant and the server needs no special support for PKCS#11."
That rules. It's true. I've seen in the wpa_supplicant log that it can't access 
the private key (fuckin' key_id), but even so, the client sends 
client_certificate, client_key_exchange, ... and tcpdump shows 
RADIUS-Access-Request... I'll ask about this at opensc-project, but it looks 
like you know what you're speaking about. Do you know if freeradius can make 
OCSP requests?
In 
/freeradius-server-2.0.5/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c 
they mention the OCSP protocol, but in eap.conf there is nothing about this!!

Thanks